Description
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
References (2)
Core 2
Core References
Vendor Advisory
https://security.gradle.com
Mitigation, Vendor Advisory
https://security.gradle.com/advisory/2022-12
Scores
CVSS v3
7.5
EPSS
0.0063
EPSS Percentile
45.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-863
Status
published
Products (1)
gradle/enterprise
2020.4 - 2022.3.2
Published
Oct 07, 2022
Tracked Since
Feb 18, 2026